Help Needed Rebuilding FreeIPA domain
by Sina Owolabi
Hi Friends
A few months ago I reported a problem with my FreeIPA domain where my
master IPA server could not start pki-tomcatd, and I could not find
what was causing the problem.
Operations such as host deletion, DNS modifications failed with
"ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)"
on the master but worked on the replicas.
I couldn't find a solution, even after seeking help on the list.
Now the replicas have the same problem, and I wonder if it would be
possible to setup a new master, migrate all existing configuration to
this new master, and recreate the domain on the problematic servers?
If this kind of clean sweep is possible, can someone more skilled
than I please advise on how to do this?
4 years, 11 months
cannot access webui
by Peter Zoltan Keresztes (zozo)
Hello,
I have just installed the new freeipa on ubuntu18.04 and I am trying to login as admin in the web ui but I am not able to do so. I was looking for any kind of logs but I don't seem to find a way to debug the problem.
Any suggestion where to start looking?
Regards
Peter
4 years, 11 months
IPA's clients deny password auth to ssh - 6 (Permission denied) - but gssapi works.
by lejeczek
hi guys
A Putty ssh off an AD's Win10 client to IPA's client (non-master) works
with gssapi, but without it, when I need to use a password, I see:
pam_sss(sshd:auth): received for user myuser(a)mine.private: 6 (Permission
denied)
To make it more bizarre, that same Win10 client does ssh with
password(and gssapi) to IPA's masters just fine.
My IPA is pretty "vanilla" default after AD trust installation.
Any suggestions as to a cause of this misbehavior of IPA clients?
many thanks, L.
4 years, 11 months
kadmin service not running after installing ipa server
by Peter Zoltan Keresztes (zozo)
Hello
I have just installed ipa-server on ubuntu 18.04 and I have observed that the kadmin service is not running. While investigating the issue I've seen that it is complaining about the non-existence of /etc/krb5kdc/kadm5.acl.
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful
systemctl status krb5-admin-server.service
● krb5-admin-server.service - Kerberos 5 Admin Server
Loaded: loaded (/lib/systemd/system/krb5-admin-server.service; disabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/krb5-admin-server.service.d
└─slapd-before-kdc.conf
Active: failed (Result: exit-code) since Thu 2019-06-20 16:36:34 EDT; 3min 9s ago
Process: 13426 ExecStart=/usr/sbin/kadmind -nofork $DAEMON_ARGS (code=exited, status=1/FAILURE)
Main PID: 13426 (code=exited, status=1/FAILURE)
Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: setsockopt(11,IPV6_V6ONLY,1) worked
Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: Setting up RPC socket for address 0.0.0.0.749
Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: Setting up RPC socket for address ::.749
Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: setsockopt(13,IPV6_V6ONLY,1) worked
Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: set up 6 sockets
Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: No such file or directory while opening ACL file /etc/krb5kdc/kadm5.acl
Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: Cannot open /etc/krb5kdc/kadm5.acl: No such file or directory while initializing ACL file, aborting
Jun 20 16:36:34 ipadev.redcapcloud.com kadmind[13426]: kadmind: kadmind: Cannot open /etc/krb5kdc/kadm5.acl: No such file or directory while initializing ACL file, aborting
Jun 20 16:36:34 ipadev.redcapcloud.com systemd[1]: krb5-admin-server.service: Main process exited, code=exited, status=1/FAILURE
Jun 20 16:36:34 ipadev.redcapcloud.com systemd[1]: krb5-admin-server.service: Failed with result 'exit-code'.
is there any way I can fix this?
regards,
Peter
4 years, 11 months
Re: Cert expired for pki-tomcat and process would not start
by Sayfiddin, Farhad
This is affecting 3 out of 4 of our IPA servers. Would you recommend any other solution for this issue?
We have only one CRL Master IPA server, which does not have this issue.
Would breaking the replication and recreating the replica from the one good CRL Master IPA server work?
-----Original Message-----
From: Sayfiddin, Farhad via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Wednesday, June 19, 2019 2:51 PM
To: Florence Blanc-Renaud <flo(a)redhat.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Rob Crittenden <rcritten(a)redhat.com>
Subject: [Freeipa-users] Re: Cert expired for pki-tomcat and process would not start
Thanks for your reply. In the journal I did not see anything meaningful when I ran "certmonger resubmit -i 20170214143200 "
Jan 07 20:23:29 sl1mmgplidm0002.ipa.gen.zone kernel: FINAL_REJECT: IN=ens192 OUT= MAC=00:50:56:b2:39:92:00:1c:7f:61:a6:27:08:00 SRC=10.48.10.142 DST=172.20.0.36 LEN=89 TOS=0x00 PREC=0x00 TTL=126 ID=28772 PROTO=UDP SPT=52233 DPT=161 LEN=69
Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: [07/Jan/2019:20:23:32.598658399 -0600] csngen_new_csn - Warning: too much time skew (-14058896 secs). Current seqnum=1
Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: GSSAPI server step 1
Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: GSSAPI server step 2
Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: GSSAPI server step 3
Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: [07/Jan/2019:20:23:32.630614940 -0600] csngen_new_csn - Warning: too much time skew (-14058897 secs). Current seqnum=1
Jan 07 20:23:38 sl1mmgplidm0002.ipa.gen.zone kernel: FINAL_REJECT: IN=ens192 OUT= MAC=00:50:56:b2:39:92:00:1c:7f:61:a6:27:08:00 SRC=10.48.10.142 DST=172.20.0.36 LEN=89 TOS=0x00 PREC=0x00 TTL=126 ID=28773 PROTO=UDP SPT=59164 DPT=161 LEN=69
Jan 07 20:23:45 sl1mmgplidm0002.ipa.gen.zone certmonger[6749]: Certificate named "Server-Cert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20190108201652.
/var/log/pki/pki-tomcat/ca/debug did not generate anything when I ran "certmonger resubmit -i 20170214143200 "
Any thoughts?
-----Original Message-----
From: Florence Blanc-Renaud <flo(a)redhat.com>
Sent: Tuesday, June 18, 2019 11:20 AM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Rob Crittenden <rcritten(a)redhat.com>
Subject: Re: [Freeipa-users] Re: Cert expired for pki-tomcat and process would not start
> Thanks for your response Rob, really appreciate it.
>
> I have stopped the IPA and went back in time of Jan 7 of 2019 since
> Server-Cert cert-pki-ca would expire on: 2019-01-08 20:16:52 UTC
>
> Started dirsrv, krb5kdc and pki-tomcatd(a)pki-tomcat.service manually.
>
> [root@sl1mmgplidm0002 ~]# date
> Mon Jan 7 20:23:50 CST 2019
> [root@sl1mmgplidm0002 ~]#
>
> [root@sl1mmgplidm0002 ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: STOPPED
> named Service: STOPPED
> ipa_memcached Service: STOPPED
> httpd Service: STOPPED
> ipa-custodia Service: STOPPED
> pki-tomcatd Service: STOPPED
> smb Service: STOPPED
> winbind Service: STOPPED
> ipa-otpd Service: STOPPED
> ipa-dnskeysyncd Service: STOPPED
> ipa: INFO: The ipactl command was successful
> [root@sl1mmgplidm0002 ~]# systemctl status pki-tomcatd(a)pki-tomcat.service
> ● pki-tomcatd(a)pki-tomcat.service - PKI Tomcat Server pki-tomcat
> Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
> Active: active (running) since Mon 2019-01-07 20:17:53 CST; 4min 59s ago
> Process: 58524 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
> Main PID: 58637 (java)
> CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd(a)pki-tomcat.service
> └─58637 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tom...
>
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Starting ProtocolHandler ["http-bio-8443"]
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: Jan 07, 2019 8:17:57 PM org.apache.coyote.AbstractProtocol start
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Starting ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"]
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: org.apache.catalina.core.StandardServer[after_start]
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: Subsystem CA is disabled.
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: To enable the subsystem:
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: Jan 07, 2019 8:17:57 PM org.apache.catalina.startup.Catalina start
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Server startup in 2477 ms
> [root@sl1mmgplidm0002 ~]#
>
> Ran "certmonger resubmit -i 20170214143200" but the cert is still showing as expiring on the same date; it is not forcing it to update.
>
> Status is changed to Monitoring now, but it is only because I went back in time.
>
> Request ID '20170214143200':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
> expires: 2019-01-08 20:16:52 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> track: yes
> auto-renew: yes
>
> I have tried to restart certmonger with no luck. Please advise.
>
Hi,
when you run certmonger resubmit, please have a look at the logs generated in the journal. When everything goes smoothly, you should be able to see the following steps in the journal (may be separated by other unrelated logs):
dogtag-ipa-ca-renew-agent-submit[20831]: Forwarding request to dogtag-ipa-renew-agent
dogtag-ipa-ca-renew-agent-submit[20831]: dogtag-ipa-renew-agent returned 5
The above 2 lines may appear multiple times and show that the CA helper is using another helper. This other command is directly contacting PKI and authenticates with the RA cert (the 'ipaCert' stored in /etc/http/alias). It is calling the profileSubmit API, then the profileReview API.
Then at around the same time in /var/log/pki/pki-tomcat/ca/debug, check if there is a line with "uri = /ca/ee/ca/profileSubmit" and another one with "uri = /ca/ee/ca/profileReview". This shows that the PKI server received a renewal request. The following lines may help diagnose any issue (for instance the authentication failed).
flo
> -----Original Message-----
> From: Rob Crittenden <rcritten(a)redhat.com>
> Sent: Monday, June 17, 2019 2:17 PM
> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Subject: Re: [Freeipa-users] Cert expired for pki-tomcat and process
> would not start
>
>> Here is the output of getcert list
>
> I think if you stop IPA, go back in time to when this server cert is
> valid (it is the TLS cert for the CA server) and manually start
> dirsrv, dogtag and krb5 then run certmonger resubmit -i 20170214143200
>
> You want to be sure ntpd (or chronyc) isn't running to force time back to now.
>
> rob
>
>>
>> [root@sl1mmgplidm0002 ~]# getcert list Number of certificates and
>> requests being tracked: 8.
>> Request ID '20170214143155':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=CA Audit,O=IPA.GEN.ZONE
>> expires: 2020-12-01 18:52:55 UTC
>> key usage: digitalSignature,nonRepudiation
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143156':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=OCSP Subsystem,O=IPA.GEN.ZONE
>> expires: 2020-12-01 18:52:54 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143157':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=CA Subsystem,O=IPA.GEN.ZONE
>> expires: 2020-12-01 18:53:15 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143158':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=Certificate Authority,O=IPA.GEN.ZONE
>> expires: 2037-01-18 20:02:36 UTC
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143159':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=IPA RA,O=IPA.GEN.ZONE
>> expires: 2020-12-01 18:52:44 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143200':
>> status: CA_UNREACHABLE
>> ca-error: Error 60 connecting to https://sl1mmgplidm0002.ipa.gen.zone:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
>> expires: 2019-01-08 20:16:52 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143201':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-GEN-ZONE/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
>> expires: 2020-12-23 03:40:21 UTC
>> principal name: ldap/sl1mmgplidm0002.ipa.gen.zone(a)IPA.GEN.ZONE
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-GEN-ZONE
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143202':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
>> expires: 2020-12-23 03:40:31 UTC
>> principal name: HTTP/sl1mmgplidm0002.ipa.gen.zone(a)IPA.GEN.ZONE
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>> Already tried this solution with no luck:
>>
>> https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
>>
>> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -L
>>
>> Certificate Nickname Trust Attributes
>>
>> SSL,S/MIME,JAR/XPI
>>
>> Server-Cert u,u,u
>> ipaCert u,u,u
>> IPA.GEN.ZONE IPA CA CT,C,C
>>
>> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA CA' -t ',,'
>> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA CA' -t 'CT,C,C'
>>
>> Curl command still fails
>>
>> [root@sl1mmgplidm0002 ~]# SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://urldefense.proofpoint.com/v2/url?u=https-3A__-2560hostname-2560-3...
>> % Total % Received % Xferd Average Speed Time Time Time Current
>> Dload Upload Total Spent Left Speed
>> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to sl1mmgplidm0002.ipa.gen.zone port 8443 (#0)
>> * Trying 172.20.0.36...
>> * Connected to sl1mmgplidm0002.ipa.gen.zone (172.20.0.36) port 8443
>> (#0)
>> * Initializing NSS with certpath: sql:/etc/httpd/alias/
>> * CAfile: /etc/ipa/ca.crt
>> CApath: none
>> * Server certificate:
>> * subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
>> * start date: Jan 18 20:16:52 2017 GMT
>> * expire date: Jan 08 20:16:52 2019 GMT
>> * common name: sl1mmgplidm0002.ipa.gen.zone
>> * issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> * NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE)
>> * Peer's Certificate has expired.
>> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
>> * Closing connection 0
>> curl: (60) Peer's Certificate has expired.
>> More details here:
>> http://curl.haxx.se/docs/sslcerts.html
>>
>> curl performs SSL certificate verification by default, using a "bundle"
>> of Certificate Authority (CA) public keys (CA certs). If the default
>> bundle file isn't adequate, you can specify an alternate file
>> using the --cacert option.
>> If this HTTPS server uses a certificate signed by a CA represented in
>> the bundle, the certificate verification probably failed due to a
>> problem with the certificate (it might be expired, or the name might
>> not match the domain name in the URL).
>> If you'd like to turn off curl's verification of the certificate, use
>> the -k (or --insecure) option.
>>
>>
>> -----Original Message-----
>> From: Rob Crittenden <rcritten(a)redhat.com>
>> Sent: Thursday, June 13, 2019 4:08 PM
>> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>> Cc: Sayfiddin, Farhad <fsayfiddin(a)tkcholdings.com>
>> Subject: Re: [Freeipa-users] Cert expired for pki-tomcat and process
>> would not start
>>
>>> We have two replica servers sl1mmgplidm0001/2.
>>>
>>> sl1mmgplidm0001 is functioning as CRL master and has no issues.
>>>
>>> [root@sl1mmgplidm0001 ~]# ipa config-show | grep 'CA renewal master'
>>> IPA CA renewal master: sl1mmgplidm0001
>>> [root@sl1mmgplidm0001 ~]#
>>>
>>> [root@sl1mmgplidm0001 ~]# ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> smb Service: RUNNING
>>> winbind Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>> [root@sl1mmgplidm0001 ~]#
>>>
>>> sl1mmgplidm0002 is having an issue where pki-tomcat process would
>>> not start due to expired cert. It has CA_UNREACHABLE error
>>>
>>> [root@sl1mmgplidm0002 ~]# ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> pki-tomcatd Service: STOPPED
>>> smb Service: RUNNING
>>> winbind Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>> [root@sl1mmgplidm0002 ~]#
>>>
>>> [root@sl1mmgplidm0002 ~]# getcert list | grep -A 10 20170214143200
>>> Request ID '20170214143200':
>>> status: CA_UNREACHABLE
>>> ca-error: Error 60 connecting to https://sl1mmgplidm0002:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=IPA
>>> subject: CN=sl1mmgplidm0002,O=IPA
>>> expires: 2019-01-08 20:16:52 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> [root@sl1mmgplidm0002 ~]#
>>>
>>> Tried running renew_ca_cert command and "getcert resubmit -i" with no luck.
>>
>> Don't run ipa-cacert-manage renew. It renews only the root CA cert which won't help.
>>
>> We need to see the full output of getcert list to see what status all the certs are in.
>>
>> You might also try this:
>> https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
>>
>> rob
>>
>
> _______________________________________________
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.o...
List Guidelines: https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wi...
List Archives: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.o...
4 years, 11 months
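The thread above turns on reading `getcert list` output: Rob asks for the full listing so the status of every tracked certificate can be seen, and the one stuck request is the expired `Server-Cert cert-pki-ca` in CA_UNREACHABLE. The following is an added example, not certmonger or FreeIPA code, that parses that output format into records and flags the requests an operator should look at first: any status other than MONITORING, and any certificate already expired or close to expiry. SAMPLE_GETCERT_OUTPUT is a constructed excerpt modelled on the listing quoted in the thread, CHECK_TIME is the date of the first reply chosen as "now", and the 30-day warning window is this example's choice rather than a certmonger setting.

```python
"""Parse `getcert list` output and flag tracked certificates that need attention.

Added example; not certmonger or FreeIPA code. The sample output and the
check time are constructed from values quoted in the thread.
"""
from datetime import datetime, timezone

# Constructed excerpt of `getcert list`, modelled on the thread's output.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20170214143158':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=Certificate Authority,O=IPA.GEN.ZONE
        expires: 2037-01-18 20:02:36 UTC
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        track: yes
        auto-renew: yes
Request ID '20170214143159':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=IPA RA,O=IPA.GEN.ZONE
        expires: 2020-12-01 18:52:44 UTC
        pre-save command:
        track: yes
        auto-renew: yes
Request ID '20170214143200':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://sl1mmgplidm0002.ipa.gen.zone:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        CA: dogtag-ipa-renew-agent
        subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
        expires: 2019-01-08 20:16:52 UTC
        track: yes
        auto-renew: yes
"""

# "Now" for the sample: the date of Rob's first reply in the thread (constructed).
CHECK_TIME = datetime(2019, 6, 13, 16, 8, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per "Request ID '...'" block.

    Every indented 'key: value' line becomes an entry; a key with no value
    (e.g. 'pre-save command:') maps to ''. The 'expires' field is also
    parsed into an aware datetime under 'expires_at'.
    """
    requests = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request ID '"):
            current = {"request_id": line[len("Request ID '"):].rstrip("':")}
            requests.append(current)
        elif current is not None and ": " in line:
            # partition on the first ': ' so URLs inside ca-error stay intact
            key, _, value = line.partition(": ")
            current[key] = value.strip()
        elif current is not None and line.endswith(":"):
            current[line[:-1]] = ""
    for req in requests:
        exp = req.get("expires")
        if exp:
            req["expires_at"] = datetime.strptime(
                exp, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
    return requests


def find_problem_certs(requests, now, warn_days=30):
    """Return (request_id, reason) for requests that need attention.

    A request is flagged when its status is anything but MONITORING, and
    again when its certificate is already expired or expires within
    warn_days (a threshold chosen for this example).
    """
    problems = []
    for req in requests:
        rid = req["request_id"]
        status = req.get("status", "")
        if status != "MONITORING":
            detail = req.get("ca-error", "no ca-error reported")
            problems.append((rid, f"status {status}: {detail}"))
        exp = req.get("expires_at")
        if exp is not None:
            if exp <= now:
                problems.append((rid, f"expired {exp.isoformat()}"))
            elif (exp - now).days < warn_days:
                problems.append((rid, f"expires in {(exp - now).days} days"))
    return problems


def analyze_sample():
    """Run the parser and the checks over the constructed sample."""
    return find_problem_certs(parse_getcert_list(SAMPLE_GETCERT_OUTPUT), CHECK_TIME)


if __name__ == "__main__":
    for request_id, reason in analyze_sample():
        print(f"{request_id}: {reason}")
```

Run against a real listing (`getcert list | python3 this_script.py`-style piping is left out to keep the block self-contained), the same two functions give a short triage list; in the thread's case the only flagged request is the CA server's own TLS certificate, which is why the CA's `profileReview` endpoint cannot be reached to renew it.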
Password policy character classes - 8-bit characters?
by Jonathan Vaughn
If I am reading the documentation right, the effect of having the "8-bit"
character class (decimal 128 or less - though this seems more like 7 bit
plus decimal 128) is that if you change the password policy character
classes from 0 (no checking) to 1, almost anything will match, but unicode
characters wouldn't match (so you'd require at least 1 non-unicode non-high
ASCII character, excepting of course the oddball decimal 128). Thus,
ignoring unicode, if you want to match at least 3 of the other normal
classes (upper/lower/digits/special) you'd actually need to set this value
to 4?
Also, is there a particular reason this character class exists (not to
mention the cutoff being 128 "8-bit" not 127 for 7-bit or 255 for 8-bit)?
I'm not seeing an obvious use for it other than to be confusing (and
potentially reduce your intended complexity by one if you weren't paying
attention)
4 years, 11 months
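To make the counting question concrete, here is an added example (not FreeIPA code) that models the poster's reading of the documentation: an "8-bit" class satisfied by any character whose code point is 128 or less, counted alongside the four usual classes. The function names and the threshold semantics are this example's own assumptions; whether FreeIPA's policy engine counts classes exactly this way is not something the example settles, it only shows what the off-by-one would look like if it does.

```python
"""Model of the character-class counting discussed above.

Added example, not FreeIPA code. Assumption taken from the question: the
"8-bit" class is matched by any character with code point 128 or less, so
every plain-ASCII password already holds one class before the four usual
ones (upper, lower, digit, special) are considered.
"""
import string

NORMAL_CLASSES = ("upper", "lower", "digit", "special")


def character_classes(password):
    """Return the set of class names present in `password` under the model."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation or ch == " ":
            classes.add("special")
        # Assumed reading of the docs: "8-bit" means code point 128 or less,
        # so this is satisfied by any ASCII character but not by, say, 'ä'.
        if ord(ch) <= 128:
            classes.add("8bit")
    return classes


def count_classes(password):
    """Number of classes the policy would count, including the 8-bit class."""
    return len(character_classes(password))


def count_normal_classes(password):
    """Number of the four usual classes present, ignoring the 8-bit class."""
    return len(character_classes(password) & set(NORMAL_CLASSES))


def meets_min_classes(password, min_classes):
    """What a policy with 'Character classes = min_classes' accepts under the model."""
    return count_classes(password) >= min_classes


if __name__ == "__main__":
    for pw in ["abc123", "Abc123!", "pässwörd", "пароль"]:
        print(f"{pw!r}: classes={sorted(character_classes(pw))} "
              f"normal={count_normal_classes(pw)} passes_3={meets_min_classes(pw, 3)} "
              f"passes_4={meets_min_classes(pw, 4)}")
```

The interesting case is `abc123`: it holds only two of the usual classes (lower, digit) yet passes a minimum of 3 under this model, because the 8-bit class is counted for free; requiring 4 is what actually enforces three usual classes on an ASCII password. A fully non-ASCII password such as `пароль` gets only the lower class, illustrating the poster's remark that unicode characters would not satisfy the 8-bit class.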
Re: Cert expired for pki-tomcat and process would not start
by Florence Blanc-Renaud
On 6/17/19 11:05 PM, Sayfiddin, Farhad via FreeIPA-users wrote:
> Thanks for your response Rob, really appreciate it.
>
> I have stopped the IPA and went back in time of Jan 7 of 2019 since Server-Cert cert-pki-ca would expire on: 2019-01-08 20:16:52 UTC
>
> Started dirsrv, krb5kdc and pki-tomcatd(a)pki-tomcat.service manually.
>
> [root@sl1mmgplidm0002 ~]# date
> Mon Jan 7 20:23:50 CST 2019
> [root@sl1mmgplidm0002 ~]#
>
> [root@sl1mmgplidm0002 ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: STOPPED
> named Service: STOPPED
> ipa_memcached Service: STOPPED
> httpd Service: STOPPED
> ipa-custodia Service: STOPPED
> pki-tomcatd Service: STOPPED
> smb Service: STOPPED
> winbind Service: STOPPED
> ipa-otpd Service: STOPPED
> ipa-dnskeysyncd Service: STOPPED
> ipa: INFO: The ipactl command was successful
> [root@sl1mmgplidm0002 ~]# systemctl status pki-tomcatd(a)pki-tomcat.service
> ● pki-tomcatd(a)pki-tomcat.service - PKI Tomcat Server pki-tomcat
> Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
> Active: active (running) since Mon 2019-01-07 20:17:53 CST; 4min 59s ago
> Process: 58524 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
> Main PID: 58637 (java)
> CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd(a)pki-tomcat.service
> └─58637 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tom...
>
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Starting ProtocolHandler ["http-bio-8443"]
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: Jan 07, 2019 8:17:57 PM org.apache.coyote.AbstractProtocol start
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Starting ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"]
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: org.apache.catalina.core.StandardServer[after_start]
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: Subsystem CA is disabled.
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: To enable the subsystem:
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: Jan 07, 2019 8:17:57 PM org.apache.catalina.startup.Catalina start
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Server startup in 2477 ms
> [root@sl1mmgplidm0002 ~]#
>
> Ran "certmonger resubmit -i 20170214143200" but the cert still shows the same expiry date; it is not being forced to update.
>
> Status is changed to Monitoring now, but it is only because I went back in time.
>
> Request ID '20170214143200':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
> expires: 2019-01-08 20:16:52 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> track: yes
> auto-renew: yes
>
> I have tried to restart certmonger with no luck. Please advise.
>
Hi,
when you run certmonger resubmit, please have a look at the logs
generated in the journal. When everything goes smoothly, you should be
able to see the following steps in the journal (may be separated by
other unrelated logs):
dogtag-ipa-ca-renew-agent-submit[20831]: Forwarding request to
dogtag-ipa-renew-agent
dogtag-ipa-ca-renew-agent-submit[20831]: dogtag-ipa-renew-agent returned 5
The above 2 lines may appear multiple times and show that the CA helper
is using another helper. This other command is directly contacting PKI
and authenticates with the RA cert (the 'ipaCert' stored in
/etc/http/alias). It is calling the profileSubmit API, then the
profileReview API.
Then at around the same time in /var/log/pki/pki-tomcat/ca/debug, check
if there is a line with "uri = /ca/ee/ca/profileSubmit" and another one
with "uri = /ca/ee/ca/profileReview". This shows that the PKI server
received a renewal request. The following lines may help diagnose any
issue (for instance the authentication failed).
flo
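As an added example (not code from the reply above or from FreeIPA), here is a shell script that runs the two checks just described against constructed journal and PKI debug-log excerpts; the timestamps, hostnames, PIDs and line prefixes are assumptions, only the searched-for substrings come from the reply.

```shell
#!/bin/bash
# Added example, not code from the thread. It checks offline the two places the
# reply says to look after "getcert resubmit": the journal (did the CA helper
# hand the request to dogtag-ipa-renew-agent?) and
# /var/log/pki/pki-tomcat/ca/debug (did PKI log profileSubmit and profileReview?).
# All log lines below are CONSTRUCTED samples; real prefixes will differ.

# Constructed journal excerpt: the helper hand-off happened twice.
JOURNAL_SAMPLE='Jun 17 14:30:02 idm dogtag-ipa-ca-renew-agent-submit[20831]: Forwarding request to dogtag-ipa-renew-agent
Jun 17 14:30:03 idm dogtag-ipa-ca-renew-agent-submit[20831]: dogtag-ipa-renew-agent returned 5
Jun 17 14:30:03 idm sshd[4242]: Accepted publickey for admin from 192.0.2.10
Jun 17 14:30:09 idm dogtag-ipa-ca-renew-agent-submit[20838]: Forwarding request to dogtag-ipa-renew-agent
Jun 17 14:30:10 idm dogtag-ipa-ca-renew-agent-submit[20838]: dogtag-ipa-renew-agent returned 5'

# Constructed PKI debug excerpt where both renewal URIs were hit.
PKILOG_SAMPLE='[17/Jun/2019:14:30:02][http-bio-8443-exec-3]: uri = /ca/ee/ca/profileSubmit
[17/Jun/2019:14:30:02][http-bio-8443-exec-3]: (constructed) authentication details follow here
[17/Jun/2019:14:30:10][http-bio-8443-exec-4]: uri = /ca/ee/ca/profileReview'

# Constructed PKI debug excerpt with no renewal traffic at all.
PKILOG_EMPTY='[17/Jun/2019:14:29:00][http-bio-8443-exec-1]: uri = /ca/rest/account/login'

# Succeed only if the journal shows the hand-off AND a helper return line;
# print each exit code seen so it can be compared with the "returned 5" in the reply.
renewal_handoff_seen() {
    printf '%s\n' "$1" |
        grep -q 'dogtag-ipa-ca-renew-agent-submit\[[0-9]*\]: Forwarding request to dogtag-ipa-renew-agent' ||
        return 1
    codes=$(printf '%s\n' "$1" | sed -n 's/.*dogtag-ipa-renew-agent returned \([0-9]*\).*/\1/p')
    [ -n "$codes" ] || return 1
    for c in $codes; do echo "helper exit code: $c"; done
}

# Print how many of the two renewal URIs PKI logged: 2, 1 or 0.
pki_renewal_uris() {
    n=0
    printf '%s\n' "$1" | grep -q 'uri = /ca/ee/ca/profileSubmit' && n=$((n + 1))
    printf '%s\n' "$1" | grep -q 'uri = /ca/ee/ca/profileReview' && n=$((n + 1))
    echo "$n"
}

# Combine both checks into one verdict line (keyword before the first colon).
diagnose_renewal() {
    if ! renewal_handoff_seen "$1" >/dev/null; then
        echo "NO_HANDOFF: certmonger never handed the request to dogtag-ipa-renew-agent; read the certmonger lines in the journal first"
        return 0
    fi
    case "$(pki_renewal_uris "$2")" in
        2) echo "PKI_REACHED: profileSubmit and profileReview logged; the debug-log lines after them hold the failure reason (e.g. RA cert authentication)" ;;
        1) echo "PARTIAL: profileSubmit logged but no profileReview; inspect the debug log right after profileSubmit" ;;
        *) echo "PKI_NOT_REACHED: the helper ran but PKI logged no renewal request; the TLS connection to port 8443 or the RA cert is the likely blocker" ;;
    esac
}

# Just the keyword, convenient for scripting around the verdict.
verdict_keyword() { diagnose_renewal "$1" "$2" | cut -d: -f1; }

diagnose_renewal "$JOURNAL_SAMPLE" "$PKILOG_SAMPLE"
diagnose_renewal "$JOURNAL_SAMPLE" "$PKILOG_EMPTY"
```

On a real server, feed it `journalctl -u certmonger` output and the PKI debug log instead of the constructed samples.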
> -----Original Message-----
> From: Rob Crittenden <rcritten(a)redhat.com>
> Sent: Monday, June 17, 2019 2:17 PM
> To: Sayfiddin, Farhad <fsayfiddin(a)tkcholdings.com>; FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Subject: Re: [Freeipa-users] Cert expired for pki-tomcat and process would not start
>
> Sayfiddin, Farhad wrote:
>> Here is the output of getcert list
>
> I think if you stop IPA, go back in time to when this server cert is valid (it is the TLS cert for the CA server) and manually start dirsrv, dogtag and krb5 then run certmonger resubmit -i 20170214143200
>
> You want to be sure ntpd (or chronyc) isn't running to force time back to now.
>
> rob
>
>>
>> [root@sl1mmgplidm0002 ~]# getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20170214143155':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=CA Audit,O=IPA.GEN.ZONE
>> expires: 2020-12-01 18:52:55 UTC
>> key usage: digitalSignature,nonRepudiation
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143156':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=OCSP Subsystem,O=IPA.GEN.ZONE
>> expires: 2020-12-01 18:52:54 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143157':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=CA Subsystem,O=IPA.GEN.ZONE
>> expires: 2020-12-01 18:53:15 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143158':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=Certificate Authority,O=IPA.GEN.ZONE
>> expires: 2037-01-18 20:02:36 UTC
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143159':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=IPA RA,O=IPA.GEN.ZONE
>> expires: 2020-12-01 18:52:44 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143200':
>> status: CA_UNREACHABLE
>> ca-error: Error 60 connecting to https://sl1mmgplidm0002.ipa.gen.zone:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
>> expires: 2019-01-08 20:16:52 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143201':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-GEN-ZONE/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
>> expires: 2020-12-23 03:40:21 UTC
>> principal name: ldap/sl1mmgplidm0002.ipa.gen.zone(a)IPA.GEN.ZONE
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-GEN-ZONE
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143202':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
>> expires: 2020-12-23 03:40:31 UTC
>> principal name: HTTP/sl1mmgplidm0002.ipa.gen.zone(a)IPA.GEN.ZONE
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>> Already tried this solution with no luck:
>>
>> https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
>>
>> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -L
>>
>> Certificate Nickname Trust Attributes
>>
>> SSL,S/MIME,JAR/XPI
>>
>> Server-Cert u,u,u
>> ipaCert u,u,u
>> IPA.GEN.ZONE IPA CA CT,C,C
>>
>> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA CA' -t ',,'
>> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA CA' -t 'CT,C,C'
>>
>> Curl command still fails
>>
>> [root@sl1mmgplidm0002 ~]# SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://urldefense.proofpoint.com/v2/url?u=https-3A__-2560hostname-2560-3...
>> % Total % Received % Xferd Average Speed Time Time Time Current
>> Dload Upload Total Spent Left Speed
>> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to sl1mmgplidm0002.ipa.gen.zone port 8443 (#0)
>> * Trying 172.20.0.36...
>> * Connected to sl1mmgplidm0002.ipa.gen.zone (172.20.0.36) port 8443
>> (#0)
>> * Initializing NSS with certpath: sql:/etc/httpd/alias/
>> * CAfile: /etc/ipa/ca.crt
>> CApath: none
>> * Server certificate:
>> * subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
>> * start date: Jan 18 20:16:52 2017 GMT
>> * expire date: Jan 08 20:16:52 2019 GMT
>> * common name: sl1mmgplidm0002.ipa.gen.zone
>> * issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> * NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE)
>> * Peer's Certificate has expired.
>> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
>> * Closing connection 0
>> curl: (60) Peer's Certificate has expired.
>> More details here:
>> http://curl.haxx.se/docs/sslcerts.html
>>
>> curl performs SSL certificate verification by default, using a "bundle"
>> of Certificate Authority (CA) public keys (CA certs). If the default
>> bundle file isn't adequate, you can specify an alternate file
>> using the --cacert option.
>> If this HTTPS server uses a certificate signed by a CA represented in
>> the bundle, the certificate verification probably failed due to a
>> problem with the certificate (it might be expired, or the name might
>> not match the domain name in the URL).
>> If you'd like to turn off curl's verification of the certificate, use
>> the -k (or --insecure) option.
>>
>>
>> -----Original Message-----
>> From: Rob Crittenden <rcritten(a)redhat.com>
>> Sent: Thursday, June 13, 2019 4:08 PM
>> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>> Cc: Sayfiddin, Farhad <fsayfiddin(a)tkcholdings.com>
>> Subject: Re: [Freeipa-users] Cert expired for pki-tomcat and process
>> would not start
>>
>> Sayfiddin, Farhad via FreeIPA-users wrote:
>>> We have two replica servers sl1mmgplidm0001/2.
>>>
>>> sl1mmgplidm0001 is functioning as CRL master and has no issues.
>>>
>>> [root@sl1mmgplidm0001 ~]# ipa config-show | grep 'CA renewal master'
>>> IPA CA renewal master: sl1mmgplidm0001
>>> [root@sl1mmgplidm0001 ~]#
>>>
>>> [root@sl1mmgplidm0001 ~]# ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> smb Service: RUNNING
>>> winbind Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>> [root@sl1mmgplidm0001 ~]#
>>>
>>> sl1mmgplidm0002 is having an issue where the pki-tomcat process would not
>>> start due to an expired cert. It has a CA_UNREACHABLE error.
>>>
>>> [root@sl1mmgplidm0002 ~]# ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> pki-tomcatd Service: STOPPED
>>> smb Service: RUNNING
>>> winbind Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>> [root@sl1mmgplidm0002 ~]#
>>>
>>> [root@sl1mmgplidm0002 ~]# getcert list | grep -A 10 20170214143200
>>> Request ID '20170214143200':
>>> status: CA_UNREACHABLE
>>> ca-error: Error 60 connecting to https://sl1mmgplidm0002:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=IPA
>>> subject: CN=sl1mmgplidm0002,O=IPA
>>> expires: 2019-01-08 20:16:52 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> [root@sl1mmgplidm0002 ~]#
>>>
>>> Tried running the renew_ca_cert command and "getcert resubmit -i" with no luck.
>>
>> Don't run ipa-cacert-manage renew. It renews only the root CA cert which won't help.
>>
>> We need to see the full output of getcert list to see what status all the certs are in.
>>
>> You might also try this:
>> https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
>>
>> rob
>>
>
4 years, 11 months
Better to Backup / Restore to new server ?
by Karim Bourenane
Hello
I need your recommendation about the upgrade/restore of a FreeIPA server
currently at V 4.5.0 API 2.228 to V4.6.4 API 2.230 or the latest.
Is it better to Backup / Restore from the old to the new IPA server, or to run
ipa-server-upgrade on the old server?
As you know my old IPA version uses the bgp key for replication; does that mean I
need to stop/suppress the replication before I upgrade the old servers?
Thank you for your help.
Regards
4 years, 11 months
Stage user is not recognized without objectClass posixaccount
by Dmitry Perets
Hi,
I observe a weird problem, trying to figure out how it could happen...
On one of my IPA installations, IPA doesn't recognize stage users, UNLESS they include objectClass posixaccount.
For example, the output below shows a staged user that I've manually added with "ldapmodify", but as you can see, it is not found with "ipa stageuser-find":
```
$ ldapsearch -Y GSSAPI uid=atest
SASL/GSSAPI authentication started
SASL username: admin(a)IMS.DCN.EXAMPLE.DE
SASL SSF: 256
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=ims,dc=dcn,dc=example,dc=de> (default) with scope subtree
# filter: uid=atest
# requesting: ALL
#
# atest, staged users, accounts, provisioning, ims.dcn.example.de
dn: uid=atest,cn=staged users,cn=accounts,cn=provisioning,dc=ims,dc=dcn,dc=ex
ample,dc=de
objectClass: top
objectClass: inetorgperson
objectClass: organizationalPerson
objectClass: person
uid: atest
sn: atest
givenName: atest
cn: atest
# search result
search: 4
result: 0 Success
# numResponses: 2
# numEntries: 1
```
```
$ ipa stageuser-find
WARNING: yacc table file version is out of date
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
```
This user will be recognized if I add the following attributes:
```
objectClass: posixaccount
uidNumber: -1
gidNumber: -1
homeDirectory: /home/atest
```
But this is not supposed to be so... and in fact, on another IPA installation (totally separate) I don't see this constraint. The same LDIF (just different base DN) gets properly recognized as staged user!
I was comparing the entire cn=config and the IPA server configuration section, but I cannot find what setting can possibly affect this...
Can you help with an idea please?
4 years, 11 months